Hi Experts,
I am new to ForgeRock IDM and request your help in understanding possible options for a certain use case analysis before doing the design.

Background:
XYZ organization has dozens of customers. IDM is being considered for customer entitlements management. XYZ organization makes one of the users from the customer company an admin user. Later this admin user of the customer can create and manage customer users and their entitlements. Entitlements management comprises multiple entities, e.g. Customer, Services (which the customer company has bought from the organization), Accounts (over which the services are granted) and Users. Entitlements are given at each of these entity levels. There are dozens of such customers and each customer manages its own users and entitlements.

Requirement:
The customer admin user logs on to a custom entitlements management UI and grants certain entitlements to a user. Now this request has to be sent from the UI to IDM via REST. Before IDM accepts this request and updates its own internal repository (and subsequently synchronizes this data with some directory server, e.g. OpenDJ), we want IDM to make some validations w.r.t. this request. E.g. IDM must check if the user is active, if the user belongs to the same customer company whose admin user has submitted the request, if the service for which the user is given entitlements is among the services which the customer company has bought from the organization, and if the type of entitlement (authorize, create, etc.) the admin is trying to give to the user for a service is allowed via the accounts that the user is authorized to make use of.

In short, once the admin makes certain entitlement updates for a user via the custom UI and submits, this must be passed as a request to IDM. IDM must decide whether this is a valid request by checking certain attributes from different database tables. If the request is invalid, IDM must return the result as invalid to the UI; if the request is valid, IDM must update its own internal repository and subsequently update OpenDJ.

My understanding:
IDM can’t do validations while accepting the request, as it works on a trusted source philosophy. Any data sent via the REST API from the custom UI will be accepted as is and IDM’s managed object will be updated. After the IDM internal repository is updated and before this data is sent to OpenDJ, the Mapping > Association > Individual record validation option can be used to perform validations, OR we can include certain scripts at the connector level. I understand these validations can be done in the request API itself and then the validated request gets passed on to IDM. However, we want IDM to orchestrate all such requests. Even if some API has to be called, IDM must get the request and call some API to do validations and then update the user entitlements data.

I think it won’t be possible to validate the incoming request (via the REST API) first hand; IDM has to hold that information before applying any validation logic. Since there are no connectors here and the request is coming directly via the REST API, can IDM’s inbuilt functionalities for scripts/workflows not be used?

Please let me know if my understanding is correct or if there are ways to make this possible.

I don't know where you got this idea, but it's completely wrong. Setting up REST API endpoints and applying validations on the request before any updates to managed objects is a core capability of IDM. You have the full scope of JavaScript or Groovy to write your validations in, and you then decide to return errors to the caller, or to create/update one or more managed objects.
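As an added illustration of the pattern described in that reply (example code, not from the thread or from ForgeRock), here is the shape such a validation could take in an IDM custom endpoint script: every check the question lists runs before any managed object is touched, and the script either returns the patch to apply or a 400-style error. The `idm.read` stand-in mirrors the `openidm.read(resourceId)` call available to IDM scripts (an assumption about that API), but is backed here by constructed in-memory records so the block runs offline; the managed object names and field layout are assumptions as well.

```javascript
// Constructed sample records standing in for IDM managed objects (assumed layout).
const sampleRecords = {
  "managed/user/admin1": { _id: "admin1", customerId: "custA", active: true },
  "managed/user/u1": { _id: "u1", customerId: "custA", active: true, accounts: ["acc1"] },
  "managed/user/u2": { _id: "u2", customerId: "custB", active: true, accounts: ["acc2"] },
  "managed/user/u3": { _id: "u3", customerId: "custA", active: false, accounts: ["acc1"] },
  "managed/customer/custA": { _id: "custA", services: ["payments", "reporting"] },
  "managed/customer/custB": { _id: "custB", services: ["reporting"] },
  "managed/account/acc1": { _id: "acc1", allowedEntitlements: { payments: ["authorize"], reporting: ["create", "authorize"] } },
  "managed/account/acc2": { _id: "acc2", allowedEntitlements: { reporting: ["authorize"] } }
};

// Stand-in for the `openidm` scripting object: inside IDM you would pass `openidm` itself.
const idm = { read: (resourceId) => sampleRecords[resourceId] || null };

// In a real endpoint script you would `throw { code: 400, message }` instead of returning this.
function fail(message) { return { valid: false, code: 400, message }; }

// Validate one request { adminId, userId, service, entitlement } against the stored data.
// Returns the patch operations to apply when valid, or a 400-style error otherwise.
function validateEntitlementRequest(req, idm) {
  const admin = idm.read("managed/user/" + req.adminId);
  const user = idm.read("managed/user/" + req.userId);
  if (!admin || !user) return fail("unknown admin or user");
  // 1. target user must be active
  if (!user.active) return fail("user is not active");
  // 2. user must belong to the same customer company as the requesting admin
  if (user.customerId !== admin.customerId) return fail("user belongs to a different customer");
  // 3. service must be one the customer company has bought
  const customer = idm.read("managed/customer/" + user.customerId);
  if (!customer || !customer.services.includes(req.service)) return fail("service not purchased by customer");
  // 4. entitlement type must be allowed via at least one account the user may use
  const permitted = (user.accounts || []).some((accountId) => {
    const account = idm.read("managed/account/" + accountId);
    const allowed = account && account.allowedEntitlements[req.service];
    return Array.isArray(allowed) && allowed.includes(req.entitlement);
  });
  if (!permitted) return fail("entitlement not allowed via user's accounts");
  // Only now would the script call openidm.patch(...) with these operations (assumed field layout).
  return {
    valid: true,
    patch: [{ operation: "add", field: "/entitlements/-", value: { service: req.service, type: req.entitlement } }]
  };
}
```

The same function body works unchanged when the target system is not IDM's own repository: the endpoint script would simply call the target (e.g. an OpenDJ connector) instead of `openidm.patch` after the checks pass.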

@jgoers Apologies for being so naive :) But, as I mentioned, I am new in this area, hence seeking expert advice.
Could you please guide me on where I should write the validations (checking certain attribute values from a few database tables)? Should it be at Managed Object > User > Scripts?
I hope your answer holds true even for the scenario where we don’t want to store data in IDM but just receive REST API requests, apply validation in IDM and update the target system (e.g. OpenDJ).